Users' passwords in the FluxBB database are SHA1 ciphered. I made a test with my own password and, looking at the login.php of FluxBB, it's the sha1() function that is used.

I looked quite deeply into how password authentication works in phpBB and it's based on a mechanism where a passwords manager class defined in passwords/manager.php delegates the check of the password to one of the drivers stored in passwords/driver. The choice of the right driver is based on the prefix of the hashed password found in the database for the user. For instance, a $sha1$ prefix will use the sha1.php driver, perfect for my use case.

Thus, I copied all passwords from my FluxBB users table to my phpBB users one, prefixing them with the $sha1$ string. Debugging the thing, it seems to trigger the right driver. But my authentication failed due to a mismatch with the length of the hash stored in the database. Indeed, here is the code of the check() function of the sha1.php driver:

    public function check($password, $hash, $user_row = array())
    {
        return (strlen($hash) == 40) ? $this->helper->string_compare($hash, sha1($password)) : false;
    }

$sha1$, logically, the $hash is 46 characters long.

I also checked the password manager class and it neither removes the prefix from the hashed database password before calling the check() method, nor does it seem to prefix with the right one in its hash() method.

I have no clue how to import SHA1 encrypted passwords into my installation and make the whole thing work. I'm pretty sure, looking at the code, that it's possible, but I cannot find how.
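
The length mismatch described in the post, reproduced as an added stand-alone PHP example that is not part of the original post and is not phpBB's code. All function names are hypothetical, the sample password is constructed, and the last step (replacing a verified SHA1 digest with a password_hash() value) is an assumption about how imported hashes could be upgraded after login.

```php
<?php
// Stand-alone model of prefix-based driver dispatch. Not phpBB code:
// sha1_driver_check, split_prefix and manager_check are hypothetical names.

// Same rule as the check() quoted in the post: only a bare 40-character
// digest is accepted; anything else is rejected before comparison.
function sha1_driver_check(string $password, string $hash): bool
{
    return strlen($hash) === 40 ? hash_equals($hash, sha1($password)) : false;
}

// Split "$sha1$<digest>" into [prefix, remainder]; null when there is no prefix.
function split_prefix(string $stored): ?array
{
    if (preg_match('/^(\$[A-Za-z0-9]+\$)(.*)$/s', $stored, $m)) {
        return [$m[1], $m[2]];
    }
    return null;
}

// Dispatch on the prefix. $strip decides whether the driver receives the
// stored value as-is (prefix included) or only the part after the prefix.
function manager_check(string $password, string $stored, bool $strip): bool
{
    $parts = split_prefix($stored);
    if ($parts === null || $parts[0] !== '$sha1$') {
        return false; // only the sha1 driver is modelled here
    }
    return sha1_driver_check($password, $strip ? $parts[1] : $stored);
}

// Constructed sample: an unsalted SHA1 digest with the prefix added on import.
$password = 'correct horse';
$stored   = '$sha1$' . sha1($password);

printf("stored length: %d\n", strlen($stored));
var_dump(manager_check($password, $stored, false));    // prefix reaches the driver
var_dump(manager_check($password, $stored, true));     // prefix stripped first
var_dump(manager_check('wrong guess', $stored, true)); // wrong password, stripped

// Assumption: once the legacy digest has verified, store a salted, slow hash instead.
if (manager_check($password, $stored, true)) {
    $stored = password_hash($password, PASSWORD_BCRYPT);
    var_dump(password_verify($password, $stored));
}
```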